Abstract


A study was undertaken to capture the best practices for the development of reliable and 
robust spacecraft structures for NASA’s next generation cargo and crewed launch 
vehicles. In this study, the NASA heritage programs such as Mercury, Gemini, Apollo, and 
the Space Shuttle program were examined. A series of lessons learned during the NASA 
and DoD heritage programs are captured. The processes that “make the right structural 
system” are examined along with the processes to “make the structural system right”. The 
impact of technology advancements in materials and analysis and testing methods on 
reliability and robustness of spacecraft structures is studied. The best practices and 
lessons learned are extracted from these studies. Since the first human space flight, the 
best practices for reliable and robust spacecraft structures appear to be well established, 
understood, and articulated by each generation of designers and engineers. However, 
these best practices apparently have not always been followed. When the best practices are 
ignored or short cuts are taken, risks accumulate, and reliability suffers. Thus program 
managers need to be vigilant of circumstances and situations that tend to violate best 
practices. Adherence to the best practices may help develop spacecraft systems with high 
reliability and robustness against certain anomalies and unforeseen events. 


Introduction 

NASA is currently in the process of developing the next generation crewed and cargo 
launch vehicles and spacecraft to return to the moon and beyond. With the experience 
and knowledge base available from past similar programs, a document that captures 
salient aspects of successful programs is being developed. This document serves as an 
important guide in evaluating next generation and future spacecraft concepts and 
proposals. As a part of this guide, guides for individual technical disciplines are being 
developed. Reliable and robust structural systems design is one of these technical 
disciplines. The structures document describes pertinent issues, best practices, errors, 
missteps, lessons learned, and summarizes the previously used design processes (tools 
and standards) for the structures discipline. 

Structural systems provide the basic framework to distribute external and internal loads 
resulting from all flight loads, ground loads, and associated operational and 
environmental loads. The primary objective of a structural system is to remain intact and 
experience minimal deformation when exposed to various environments, including 
ground processing, testing, launch, on-orbit, and re-entry operations. Structural systems 
also provide containment for pressures as in pressure vessels, pressure components, and 
pressurized structures. Structures tend to be a dependent subsystem in the sense that 
many requirements flow to structures from other subsystems. Space systems are 
complex products of multiple disciplines and therefore require a multidisciplinary 
analysis and optimization approach to capture 
various system interactions and sensitivities in order to obtain optimum system solutions, 
develop flight constraints, and validate and verify the system architecture. As a result, as 
illustrated in Figure 1, the development of the structural system is a complex iterative 
design process. 


This paper outlines the best practices that are essential to the design and production of 
reliable and robust spacecraft structural systems. First, the NASA heritage programs are 
examined. Lessons learned from these heritage programs are captured. Next the 
processes that need to be used to “make the right structural system” are examined. Third, 
the processes that need to be followed to “make the structural system right” are 
addressed. In addition, a brief review of methods for assessing reliability and risk for 
structural systems is provided. Finally, the lessons learned and the best practices are 
presented. 

Figure 1. Complex interactions involved in structural system design. 


American Institute of Aeronautics and Astronautics 


Heritage Programs 


Heritage programs such as Mercury, Gemini, Apollo, and the Space Shuttle program (see 
Figure 2) are first examined [1-8]. A study of these programs resulted in several lessons 
learned. They can be briefly summarized as follows: 

• Design deficiencies result from the inability to predict load paths and load 
distributions accurately. All load paths in a complex structure may be 
difficult to discern. Thus careful analysis followed by a rigorous test program 
should be conducted to uncover any design deficiencies. 

• Testing of components requires care. Whenever possible, test hardware 
should be structurally similar to flight hardware. Special attention needs to be 
given to interfaces and boundaries to ensure that proper boundary conditions 
are imposed on the system or component. 

• Despite advances in analysis techniques, modeling and simulation verification 
and validation is a vital part of ensuring the reliability of structural systems. 

• A building block approach is required to design and build reliable complex 
structures. Key steps that need to be followed are: 

    - Fully characterize special materials used in the structures and structural 
      components. 

    - Develop and validate, to the extent possible, accurate environmental 
      predictions and verify the techniques used in the predictions. 

    - Develop accurate structural dynamic and stress models and validate their 
      predictions. Avoid extrapolations of models and results. 

    - Develop a fracture control/nondestructive evaluation program. 

    - Develop extensive verification and validation procedures for: 

        ■ Modeling and analysis 

        ■ Coupon tests, subcomponent tests, component tests, full 
          scale tests, and flight tests 

        ■ Analysis and test correlation 

    - Develop rigorous manufacturing and quality control procedures. 

Figure 2. NASA Heritage Space Programs 

Making the Right Structural System 

Structural components (other than consumable or life limited items) are intended to have 
sufficient durability to perform adequately over the expected service life of the system. 
Structural systems deteriorate and/or develop damage due to a single cause or a 
combination of causes such as: (a) the design is inadequate for the applied loading and 
environment (conceptual design or calculation error), (b) the loading (amplitude, 
frequency, and/or interactions) is not well understood or underestimated, (c) the effects of 
environment are underestimated (requirements specification error), (d) a flaw in the 
materials or manufacturing is undetected (quality control and/or inspection error), and (e) 
unexpected damage occurs through unforeseen means (e.g. handling damage). Thus to 
make the right structural system, several best practices, such as the establishment and 
understanding of the proper design and mission requirements, the implementation of 
trade studies, and the creation of sufficient verification and validation studies, need to be 
instituted. 

Design Requirements: 

The primary purpose of a structure is to protect spacecraft systems and to ensure that the 
system remains intact by maintaining the relative position of components under 
service-life loads and environments. Thus the fundamental requirement of any space structure is 
to maintain structural integrity throughout the life of the structure. The process of 
defining structural requirements for new spacecraft typically begins with a review of 
previous development efforts and applicable technical standards. Both of these sources 
should be mined for appropriate design constraints, testing requirements, methodologies, 
and procedures. Care should be taken in selecting the requirements that will appear in the 
final system specification. All requirements should add value, be clear in their intention, 
and should not overly constrain the design and development. The list of requirements 
should be determined through an active negotiation process between the project 
management and the appropriate technical community. As a minimum, all NASA 
programs should evaluate NASA and other government standards for applicability. In 
general, these standards capture best practices, and they represent the starting point for 
the design, analysis, and verification of structural systems within NASA and other 
Government Agencies. If a program intends to deviate from the approach outlined in the 
NASA standards, then it will most likely require that documentation of the technical 
rationale or waiver be provided to the organizations performing technical oversight of the 
program during the formal review process. 


Mission Requirements: 

Performance: Structural design, including the implementation of new technologies, is 
driven by the system performance requirement goals. These performance requirements 
are driven by the mission requirements. Demanding performance requirements combined 
with volume and weight constraints often lead to greater sensitivities to design 
uncertainties. Design uncertainties exist in material properties, environments, loads, 
analyses, testing, and manufacturing. It is preferred to have a linear sensitivity of 
performance to these parameters. On the other hand, a high performance design may 
require nonlinear dependence on these parameters. In that case, great care must be taken 
to characterize material properties, define environments, and validate analyses. 
Manufacturing, quality control and assurance, and acceptance criteria must be enhanced 
to account for additional uncertainty. On the other hand, robust or conservative designs 
can be used at a price of higher weight and possibly lower performance. The optimum 
design choice probably lies between the two extremes. Trade and sensitivity studies must 
be performed to determine the trade offs and select the optimum design. 


Environments: The structural system is designed and tested to withstand all pertinent 
environmental conditions, naturally occurring and induced, to which the system will be 
subjected during its life-cycle. These life-cycle environments should be identified as 
early as possible in the structural design process, and appropriate loading conditions 
should be defined as requirements for design and testing. Typical environments include 
production, testing, integration, storage, transportation, launch, ascent, thermal, radiation, 
meteoroid impact, vacuum, dust or contamination, re-entry, and landing. Care should be 
taken to consider load uncertainties, combined environmental effects, and contingency 
load cases. The structural system should also be designed to withstand the cumulative 
effects of the environments without loss of mission performance. 

Trade Studies: 

The preliminary requirements for the design of a structural system typically involve the 
definition of mass allowables, volume constraints, and the specification of both static and 
dynamic design loads. These requirements stipulate the trade space for evaluating 
different structural concepts. In addition, manufacturability, inspectability, and cost (both 
initial and lifetime) may be additional constraints on the trade space. In most cases, the 
structural design trades are aimed at minimizing vehicle weight while showing positive 
margins under the specified design loads and providing sufficient stiffness to meet 
mission goals. One of the first trades in developing a preliminary structural design is to 
define the load paths and the type of structure that will sustain the design loads. Trade 
studies can also be performed to evaluate different material types (for example, 
composite vs. metal), the implementation of new technologies, and different construction 
methods. 

Verification and Validation (V/V): Verification and validation are terms often used in 
relation to the qualification of reliable structures. The terms verification and validation 
are often misused or used interchangeably. NASA system engineers define verification 
as “proof of compliance with specification as determined through a combination of test, 
analysis, and demonstration” [9]. Validation is defined as “proof that a product 
accomplishes the intended purpose as determined through a combination of test, analysis, 
and demonstration” [9]. In other words, verification is demonstrating that the product 
meets the design requirements, and validation is demonstrating that the product meets the 
goals of the intended application. These definitions originate at the system level and 
primarily apply to hardware products. A second set of definitions is commonly used in 
reference to computational models. Model verification, as defined by AIAA, ASME, and 
DoD [10-12], is “the process of determining that a computational model accurately 
represents the underlying mathematical model and its solution.” Model validation is “the 
process of determining the degree to which a model is an accurate representation of the 
real world from the perspective of the intended uses of the model.” In this case, 
verification is ensuring the computational model is correct in terms of the governing 
equations (stress, strain, motion); validation is ensuring the modeling effort captures the 
physics of the intended application. Producing reliable structures requires meeting both 
sets of definitions. For example, computational models need to endure sufficient V/V to 
define or reduce uncertainty and demonstrate sufficient accuracy to support program 
decisions. This is particularly important when computational models are to be used for 
product V/V. Best practice dictates that all structural systems should undergo a rigorous 
V/V process. 

The following are examples of lessons learned taken from various past aerospace 
programs that relate to “making the right structural system”: 

• Document engineering requirements as clearly as possible. All requirements, 
including seemingly minor changes, should be clearly documented and 
tracked in order to avoid misinterpretation. 

• In a totally new system, requirements may have to be continually reviewed for 
applicability. Requirements may change as a result of trade studies or design 
maturity. 

• Each requirement should be traceable to a compliance matrix. All test data 
should be inspected for trends and “out of family” values, even when all 
values are within the expected range. Anomalous data should be thoroughly 
investigated. 

• Impact of requirements changes for a subsystem should be properly evaluated 
on the system and interfacing subsystems. 

• Review out-of-flow processes to ensure no steps are bypassed. 

• Spacecraft must be designed to withstand worst-case life-cycle environments. 
All possible load combinations should be considered. Credible mission 
failure scenarios should be considered in evaluating the failure modes of the 
structure. 


Making the Structural System Right 

The key aspects for reliable and robust structures are design, analysis, manufacturing and 
process control, testing, and quality assurance. Each topic must be properly addressed to 
“make the structural system right”. 

Design: 

Primary and secondary structures of space systems are designed to provide sufficient 
strength, rigidity, and other characteristics required to sustain the critical loading 
conditions without damage or degradation of performance throughout their service life. 
Several key design aspects necessary to ensure a reliable structure are structural integrity 
requirements, fatigue and fracture control, factors of safety, material properties, and 
tolerance requirements. 

Analysis: 

Structural analyses are performed to predict structural response to the critical loads and 
environments anticipated during the service life of the structure. Typical analyses 
include investigations of fatigue, safe-life, and fail-safe considerations. These analyses 
are important to establish the service life, tolerance of the structure to defects, design 
margins, and residual strength. To ensure a reliable structure, it is important to verify the 
analysis models and validate the analysis predictions over the range of use. 

Manufacturing and Process Control: 

The design of reliable and robust structures requires well-characterized fabrication 
processes and procedures. The fabrication process for each structural item is a 
controlled, documented process. Proven processes and procedures for fabrication and 
repair are needed to preclude damage or material degradation during material processing 
and manufacturing operations. An inspection plan is required to identify all key process 
parameters essential for design verification. In-process inspection or process monitoring 
are needed to verify setup and acceptability of critical parameters during the 
manufacturing process. 

Testing: 

Demonstrations are required to ensure that a structural system meets both mission and 
regulatory requirements. These demonstrations can be performed in four ways: 1) by 
heritage/similarity, 2) by analysis, 3) by qualification testing, and 4) by a combination of 
1, 2, and 3. Qualification through heritage/similarity is not a reliable process without 
adequate analyses and tests to conclusively demonstrate similarity in materials, loads, 
environments, and responses. Qualification through analysis may be used when testing 
cannot demonstrate a target environment, such as zero-g or combined load effects, or the 
tests required are hazardous or unrealistic in terms of cost and schedule. By far the best 
approach to qualification is through testing. The mantra for a qualification-testing 
program should be “Test what you fly, and fly what you test.” 

Quality Assurance: 

A quality assurance program based on a comprehensive study of the product and 
engineering requirements is established to ensure that necessary nondestructive 
inspection and acceptance proof tests are performed effectively. The program ensures 
that no damage or degradation occurred during material processing, fabrication, 
inspection, acceptance tests, shipping, storage, assembly, and operational use and 
refurbishment, and that defects that could cause failure are detected or evaluated and 
corrected. Acceptance proof tests are conducted on pressure vessels, pressurized 
structures, and composite structures for verification of workmanship. 


Reliability Assessment Methods 

Risk and reliability are complementary terms. Reliability is a quantified probabilistic 
assurance that a system or a product/device (or structure) will perform satisfactorily (i.e. 
will not fail, and will satisfy performance requirements) during its intended lifetime 
under specified operating conditions. Probability of failure refers to likelihood that the 
system will fail to satisfy the designated performance requirement. Risk, on the other 
hand, combines the probability of failure and the consequence of failure. Risk is 
generally defined as a product of the probability of failure and the cost (consequence) of 
failure. 

A distinction also needs to be made between probability and statistics. Statistics is the 
mathematical quantification of uncertainty (mean, standard deviation, and other higher 
moments) mainly through the analysis of measured data. Probability theory uses 
statistical data to quantify the likelihood of occurrence of specific events. 

Many structural systems (particularly space propulsion structures) are one-of-a-kind and 
hence have little or no learning curve. Generally, space propulsion systems are relatively 
large and expensive; and often they are not fully tested prior to their use nor are they 
tested repeatedly to create a statistical database. These propulsion systems may also have 
relatively long exposure periods and are designed for low risk. Often there is little or no 
redundancy in these systems because of cost and weight considerations. These factors 
make the reliability analysis of these systems extremely challenging. 

Margins and Factors of Safety: 

Engineers have always recognized the existence and presence of uncertainty in the 
analysis and design of structural systems. These uncertainties can arise due to human 
factors (error in analysis and/or fabrication), limitations in technology, inherent 
randomness in the material properties, the environment in which the system operates, and 
the specific utilization of the structural system. Traditionally, uncertainty has been 
accounted for by using safety factors and/or knock-down factors. Structural reliability 
and robustness are improved by increasing the safety margins for critical structures (with a 
cost and weight penalty) and by practicing rigorous quality assurance (QA) and quality 
control (QC) techniques. 

Depending upon the nature of their criticality, space system structures and structural 
components are designed using either a fail-safe or a safe-life design philosophy. 
Fail-safe systems, sometimes referred to as fool-proof systems, are designed such that their 
failure does not affect other components and systems. In the safe-life design philosophy, 
systems are designed to survive a specific design life with a chosen reserve. 

Historically, the use of empirical safety factors has been the prevalent method of making 
designs more reliable. However, deterministic safety factors do not provide a 
quantitative measure of risk. In contrast, probabilistic analysis methods can provide this 
information. 

Traditionally, safety factors are estimated based on rules-of-thumb and experience and 
are intended to be conservative. Selection of safety factors is insensitive to required 
reliability. It is possible to establish relationships between the traditional safety factors 
and the more rigorous probabilistic methods provided the underlying distributions and 
the statistical parameters for various design factors are known. Lately, there has been a 
push to relate safety factors to probabilistic or statistical methods. Safety factors that are 
based on standard probabilistic analyses provide a transparent approach to the end user 
recognizing the statistical nature of material properties and stress, the applicability of the 
failure theory, fidelity of the analysis techniques, and the required reliability. In applying 
this methodology, all design parameters of interest are typically assumed to have normal 
distributions [13]. This is an approximation, but in the absence of adequate data, the 
normal distribution assumption is advantageous in that it can be fully characterized by 
just two parameters: the mean and the variance. Since the applied stress and allowable 
strength are statistical in nature and assumed to be normal (with known parameters), the 
safety factor can be shown to be a function of probability of failure, mean and standard 
deviation of strength, and mean value and standard deviation of applied stress. 

Probabilistic Approaches: 

Usually, in risk-based design methodologies, a traditional load and resistance model is 
used. In its most fundamental form, design safety is ensured by requiring that the 
resistance is greater than the load. The safety factor is defined as the resistance divided 
by load. The determination of resistance and load distributions depends on the specific 
application. In aerospace applications, another measure of safety, margin of safety 
(MOS), is often used. Positive values of MOS indicate safe designs, and negative values 
indicate unsafe designs. 

In a probabilistic analysis, the design safety is ensured by requiring that the overlap 
between the load and resistance (strength) probability distribution curves be minimized 
within the constraints of economy. Figure 3 illustrates and compares the traditional and 
probabilistic design methodologies. The probability of failure is defined as the total area 
of the overlap [14]. The shapes of the curves are represented by probability density 
functions. In certain situations, the resistance distribution curve needs to account for 
more than the traditional strengths. For example, when the structural components are 
subjected to variable amplitude, high frequency loading where fatigue is the primary 
failure mechanism, the resistance needs to properly account for history dependent fatigue 
damage accumulation. 


[Figure 3 panels: "Traditional Factor of Safety Approach" (factor of safety, knockdown factor) and "Probabilistic Approach" (probability density versus load or resistance, showing the resistance (strength) curve and the failure (overlap) region).] 


Figure 3. A comparison of traditional vs. probabilistic design methodologies 

Generally, the methods to quantify element-level reliability (component reliability) 
can be broadly grouped into four categories: (1) first-order reliability methods 
(FORM) and second-order reliability methods (SORM), (2) Monte Carlo simulation and 
its derivatives, such as efficient sampling methods, (3) response surface approaches, and 
(4) sensitivity-based probabilistic finite element analysis. References 14-17 provide 
details on these methods. 
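
The relationship stated earlier between the safety factor and the probability of failure, together with a Monte Carlo cross-check of the kind named in category (2), is worked through below as an added example that is not part of the original paper. It assumes resistance R and load S are independent normal variables; the function names and all numeric values are constructed for illustration.

```python
"""Stress-strength interference for normally distributed load and resistance.

Added illustration, not from the paper. Assumes R (resistance) and S (load)
are independent and normal; all numbers below are constructed.
"""
import math
import random
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # mean 0, standard deviation 1


def reliability_index(mu_r, sd_r, mu_s, sd_s):
    """beta = mean / std of the margin M = R - S, which is itself normal."""
    return (mu_r - mu_s) / math.hypot(sd_r, sd_s)


def failure_probability(mu_r, sd_r, mu_s, sd_s):
    """P(R < S) = Phi(-beta)."""
    return _STD_NORMAL.cdf(-reliability_index(mu_r, sd_r, mu_s, sd_s))


def required_safety_factor(pf_target, cov_r, cov_s):
    """Central safety factor n = mu_R / mu_S that yields pf_target.

    cov_r and cov_s are coefficients of variation (std / mean).
    Writing beta in terms of n gives
        beta = (n - 1) / sqrt(n^2 cov_r^2 + cov_s^2),
    a quadratic in n whose root with n > 1 is returned.
    """
    if not 0.0 < pf_target < 0.5:
        raise ValueError("pf_target must lie in (0, 0.5)")
    beta = -_STD_NORMAL.inv_cdf(pf_target)
    denom = 1.0 - (beta * cov_r) ** 2
    if denom <= 0.0:
        # beta(n) rises toward 1/cov_r as n grows but never reaches it, so
        # strength scatter alone makes this target unreachable for any n.
        raise ValueError("target unreachable: reduce strength scatter")
    root = math.sqrt(cov_r ** 2 + cov_s ** 2 - (beta * cov_r * cov_s) ** 2)
    return (1.0 + beta * root) / denom


def monte_carlo_pf(mu_r, sd_r, mu_s, sd_s, samples=200_000, seed=1):
    """Estimate P(R < S) by direct sampling (seeded for repeatability)."""
    rng = random.Random(seed)
    failures = sum(
        rng.gauss(mu_r, sd_r) < rng.gauss(mu_s, sd_s) for _ in range(samples)
    )
    return failures / samples


if __name__ == "__main__":
    # Constructed case: strength 500 +/- 40, applied stress 400 +/- 30.
    case = (500.0, 40.0, 400.0, 30.0)
    print("deterministic safety factor:", case[0] / case[2])
    print("reliability index beta     :", reliability_index(*case))
    print("analytic P_f               :", failure_probability(*case))
    print("Monte Carlo P_f            :", monte_carlo_pf(*case))

    # The same target P_f demands a larger safety factor as scatter grows.
    for cov_r in (0.04, 0.08, 0.12):
        n = required_safety_factor(1e-4, cov_r, 0.10)
        print(f"cov_R={cov_r:.2f}: safety factor for P_f=1e-4 is {n:.3f}")

    # With 30% strength scatter, P_f = 1e-5 cannot be met by any factor.
    try:
        required_safety_factor(1e-5, 0.30, 0.10)
    except ValueError as exc:
        print("cov_R=0.30:", exc)
```

Direct sampling resolves only failure probabilities well above 1/samples, which is why the efficient sampling variants mentioned above matter for the low-risk targets typical of spacecraft structures.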

The state-of-the-art in the area of structural reliability assessment has improved 
significantly in the past two decades both in component and system level reliability 
estimation. Many commercial finite element codes have adopted probabilistic analysis 
methods [18,19]. These methods have been applied successfully in the areas of material 
uncertainty characterization, probabilistic fracture mechanics, probabilistic fatigue 
analysis, and probabilistic analysis of structural systems. However, these methods are 
computationally intensive. The challenge that remains is to synthesize, adapt, and 
simplify research efforts into practical and efficient methods that can be used for a variety 
of engineering applications. 


Best Practices Based on Lessons Learned 

The following are examples of the best practices developed based on the lessons learned 
taken from various past aerospace programs. Adherence to these practices will help 
ensure the development of reliable and robust structural systems. 

Qualification 

• Thoroughly evaluate heritage systems and data (test and analysis) as well as 
the applicability of using “existing” or “flight proven” equipment. 

• Unexpected hardware behavior in test and/or flight is often a sign of 
impending failure and must be thoroughly investigated. Perform thorough 
post-flight analyses. 

• Replacement materials should be sufficiently tested under conditions that 
realistically simulate flight conditions, and the results should be correlated 
with those exhibited by the original material systems. 

• Study past anomalies that involved similar designs or technologies and 
implement appropriate corrective actions. 

• Safeguard flight hardware against inadvertent damage due to handling and 
over-testing. 

• Do not succumb to launch schedule pressure and compromise engineering 
recommendations. 

Analysis and Testing 

• All design changes must be thoroughly analyzed and tested. 

• Analysis should properly account for all flight environments. 

• Inaccuracies in material properties, structural loads, and environments continue to 
threaten mission success. Validation of material properties, structural loads, and 
environments through rigorous test campaigns is the best method of ensuring 
reliable structures. 

• Test failures must be thoroughly investigated and the root causes of the test 
anomalies ascertained and understood. 

• Verify field installation of all single point failure items. 

Design, Manufacturing, and Assembly 

• Thoroughly verify the interfaces of all subcontracted items. 

• Honeycomb structures should be vented wherever possible. If un-vented design 
cannot be avoided, sufficient testing including development, qualification, and 
proof tests should be conducted under applicable temperature and vacuum 
conditions. 

• Changes and some non-conformances typically do not go through material review 
board processes. All changes and discrepancies should be properly evaluated. 

• 11th-hour modifications at the launch site require thorough evaluations. 

• Protect the flight hardware from handling and transportation damage. Provide 
ample checks for damage detection. 

• Design hardware to minimize the areas that cannot be inspected, and avoid the use 
of potential contaminants whenever possible. Account for all loose materials used 
during assembly. 


Concluding Remarks 

Spacecraft structural systems are complex and have multiple interacting components. As 
such, these structural systems can only be developed through a complex iterative design 
process. Various best practices that lead to the development of reliable and robust 
spacecraft structures are reviewed. 

NASA heritage programs such as Gemini, Mercury, Apollo, and the Space Shuttle are 
examined. Lessons learned from these programs are captured. To be able to build an 
appropriate structural system for a mission, design and mission requirements and the 
environment must be adequately defined. Then, trade studies and verification and 
validation need to be performed. Building a structural system that performs as intended 
requires design, analysis, manufacturing and process control, testing, and quality assurance. 

Since the first human space flight, the best practices for reliable and robust spacecraft 
structures appear to be well established, understood, and articulated by each generation of 
designers and engineers. However, the implementation of these best practices appears to 
be a problem. When the best practices are ignored or short cuts are taken, reliability 
suffers and risks accumulate. Program managers deviate from best practices due to the 
programmatic and resource (cost and schedule) issues brought on by anomalies, 
unpredicted problems, and unforeseen events. Thus for a reliable structural system, 
program managers need to be vigilant when anomalies and unforeseen problems arise 
that tend to violate best practices. 